This is the second part in my series on reports provided in SharePoint. Today I am going to focus on the OOTB SharePoint audit logs that will generate reports you can run as a site collection administrator. The data gathering for these reports is not enabled by default so I will show you how to do that. I will also discuss what you can get from the reports and how you can configure them to search for data you need.
You can view part one of this series by clicking here.
SharePoint Site Collection Auditing
SharePoint will audit just about anything that happens within a site collection. Auditing is tracked within the site collection’s content database so be careful to monitor and clean up as it can take over your available space (but I will get to this more later). Auditing will track actions made against, sites, lists and libraries (including their contents), content types, and the security around all these items. You can set your auditing to track all these items or only a select few if you wish. Because auditing is tracked at the Site Collection level and down, users are required to be Site Collection Administrators in order to configure and generate the audit reports.
Configure Site Collection Auditing
- Navigate to the root of the site collection you wish to audit against
- Click on the settings cog and select Site Settings
- Under Site Collection Administration select Site collection audit settings
- Set “Automatically trim the audit log for this site?” to Yes. If you do not select this option, the audit logs will continue to increase and will eventually take over your site collection’s available database space.
- Set the number of days you wish to maintain your audit logs. Ensure this value meets your environment’s data retention policies.
- If you only want to store the data within SharePoint for a certain amount of time but want to maintain the logs much longer you can select a location to place the trimmed logs for long-term storage and then move them off to a new location.
- Next select the document (libraries) and item (lists) level auditing you wish to accomplish. Options for auditing include:
- when an item is opened or downloaded or when the properties are viewed
- when any component of an item (properties or item itself) are edited (or created)
- when an item is checked out and checked in
- when an item is moved or copied to another location
- when an item is deleted or restored.
- Finally select the level at which you want to audit sites, lists and libraries. Options for this level of auditing include:
- when a content type or site column is modified (including created)
- when content is searched
- when permissions are modified
- It’s just my opinion, but if you are going to audit, you might as well audit it all.
- Once your options are selected, click OK.
View Audit Reports
- Navigate to the root of the site collection you wish to audit against
- Click on the settings cog and select Site Settings
- Under Site Collection Administration select Audit log reports
Audit reports are divided up into three sections of pre-configured reports and an option to create your own custom report based on the available audit logs.
Content Activity Reports
These reports are built around tracking the content of your site collection. It will report on things like when and by whom a document or list item was viewed, edited or deleted by someone. You can also generate a report that will indicate any additions or changes to content types and list settings.
Information Management Policy Reports
You have two reports under this heading to choose from. The first report (Policy modifications) will report on any changes (including creation) to the the rules that have been applied to the Information Management Policies of the site. The second report (Expiration and Disposition) generates a report around documents that are expiring or ready for disposition
Security and Site Settings Reports
As in the information management reports, you have two predefined reports. Auditing settings provides information when any audit settings were modified. Security settings will generate a report on any security configurations that were modified.
To generate one of the predefined reports perform the following steps:
- Click on the predefined report you wish to run
- Select the location you wish to store the report (note, you can’t select the report name, but can change it post-creation).
- Click Ok.
- Once the report is generated, you can access it at the save location or click on the link: “Click here to view the report” to open it directly.
Create Custom Report
You have the option of creating a custom report that can contain specific audit event types and can be further configured to report on a particular location to build report from, a date range to report on and if you are only looking at viewing the actions of a particular user, you can set those options as well. To create a custom report perform the following steps:
- Select the save location
- If you wish to limit it to a site place a check mark in “Restrict this report to:” and then click on Browse to select a site to report on.
- If a particular date range is required, enter it in the Date Range section. Including Start date and time and End Date and time.
- Select the user(s) you wish to report on.
- Select the events you are looking to generate the audit report from.
- Click OK.
Reading Audit Reports
Audit reports are generated with two tabs:
- Audit Data – Table – provides a summary and count of the actions occurred. The headings indicate what action occurred and the data within indicate how many times that action occurred.
- Report Data 1 – this section provides the detailed information of the event being tracked. It can contain the following information:
- Site ID: The GUID of the site
- Item ID: the GUID of the item that is being audited
- Item Type: the type of item (Site Collection, Site, List, list item, etc).
- User ID: user who caused the event to occur
- Document Location: if a document where it is located when audit event occurred
- Occurred (GMT): time the event occurred
- Event: Type of event. This corresponds to the headings in the Audit Data tab.
- Custom Event Name: if this is a non standard SharePoint event then the name will go here.
- Event Source: SharePoint unless from a custom app. Then the feature GUID is displayed
- Source Name: Name of custom source
- Event Data: XML description of the event being audited
- App ID: GUID of app that generated the event (if from an app).
So that covers the basics of OOTB reporting within SharePoint. There is much more you can accomplish using Reporting services and custom code, but that is a post or posts for another day.
Thanks for reading!
Comments
While creating a custom report, under “Restrict this report to” I selected one of the site and then generated the report, but getting the report for the entire site collection with data from other sites as well. Is there any other setting to generate data for a particular site?
I have noticed this often as well and never found a way to force it to maintain the restrictions I set. However, keep in mind the report generates to a format that you can filter and sort with excel. My suggestion is since there doesn’t seem to be a way to refine during the building of the report (for all that you should be able to), instead format the report once generated. You can probably create a macro to do this for you.
Thanks David.
Hi David,
Do you know if the reports can be automatically generated periodically within SharePoint Online? For example, instead of directly clicking the log I want, can I set up some sort of workflow/job to generate those reports to a specific document library at the end of every month?
Unfortunately I don’t. I haven’t needed to work much with SPO in this space unfortunately. You might be able to do it with PowerShell and CSOM (so having to write code), but I know of no way to do it with WF. I am pretty confident you can’t do it on-prem, which makes me even more confident you can’t do it online.
Is it possible to know which particular logged in user caused the event? On my Audit Logs all User IDs are set to System Account
Thanks!
Not that I am aware of. SharePoint is simply logging the username of the account that created the event. Are the events you are viewing being caused by an internal process? If so, it may be running under the system account. Or if you are running a custom process that uses elevated privileges it will also likely appear to log that way as well.
Thanks for reply!
It is a Project Server, so I guess there should be some way to know which user published, saved or checked in a project in that logs instead of the User ID SHAREPOINT\system.
So you are looking at the logs in Project Server or looking at the logs for items handled by Project Server. Either way, I do apologize as I have very little experience with Project Server. I honestly don’t know how it logs entries to SharePoint.
Hi, thanks for the post. My Content Viewing report is not getting generated . Its throwing below error :”This report contains no data. Please ensure data for this report is being captured by the current audit settings. It may also take some time after audit settings are changed for events to surface here”. Please help me on this.
I would check to see what options are enabled in your site collection audit settings. You can access them from the root of your site collection. Under Site Settings -> Site Collection Audit Settings you are able to configure this. I would ensure all items are checked and go from there. A quick note though. If you’re ysers are using Windows Explorer to view open and edit files, your audit logs are going to be very limited. Most auditing is not captured when accessing via Windows Explorer.
As for the time it takes to show up. Remember the data is read from the database and not from an internal log. I wouldn’t be surprised if there wasn’t a timer job that needs to run in order to transfer the data into the proper tables of health and Usage DB.